
Thread: Modifying NTDLL ?

  1. #16
    Quote Originally Posted by deroko:
    That's why you hook NtCreateFile and NtOpenFile so when it asks for ntdll.dll on disk you simply redirect to your patched dll.
    I still do not understand your claim that hooking 2 additional things is easier in some way than altering a few bytes in NTDLL to allow interception of a function which I must hook anyway? My modifications amount to approx. 60 bytes of new asm, 2x32 bytes of replaced asm, 8 reloc fixups and EAT RVA and section header fixups. All mods are contained to NTDLL; the execution/debugging of the asm changes can be completed inside the emulator.

    But you are claiming that it is easier to leave NTDLL untouched, then dynamically patch the address space when the target is being loaded/run, and then to intercept an additional 2 calls (that haven't been necessary to intercept so far) to point to another file. This file then needs to have the contents of what is in memory but reconstructed as an EXE.


    I am after the runtime address space to be as original as possible to an unpatched system. This is because I am trying to verify a live system against an emulated system, I am not primarily trying to reverse engineer on the Win32 system. That is just slow and a waste of time compared to the reveng speed-up gained by using an emulator as the primary reveng method.
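    The goal stated above, a live address space that matches an unpatched system, implies a check a verifier can run: compare the mapped module against its on-disk bytes while allowing for the loader's relocation fixups. The Python below is an added example, not code from this thread or from any poster; the .reloc block layout and the HIGHLOW entry type are the standard PE ones, while the 64-byte "section", the fixup slots and the 5-byte hook at RVA 0x30 are constructed sample data.

```python
import struct
IMAGE_REL_BASED_HIGHLOW = 3  # type field of a .reloc entry: 32-bit absolute fixup

def parse_reloc_blocks(reloc):
    """Parse raw .reloc data into the set of RVAs holding HIGHLOW fixup slots.
    Block: DWORD page RVA, DWORD SizeOfBlock, then WORDs (type<<12 | offset)."""
    slots, pos = set(), 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8:
            break  # malformed block; stop rather than loop forever
        count = (size - 8) // 2
        for entry in struct.unpack_from("<%dH" % count, reloc, pos + 8):
            if entry >> 12 == IMAGE_REL_BASED_HIGHLOW:
                slots.add(page_rva + (entry & 0xFFF))
        pos += size
    return slots

def find_patches(disk, mem, reloc_slots, delta):
    """Compare a mapped image against its on-disk bytes. A HIGHLOW slot may differ
    by exactly `delta` (load address - ImageBase); anything else is a patch.
    Returns a list of (rva, length) runs of patched bytes."""
    if len(disk) != len(mem):
        raise ValueError("disk and memory images must cover the same range")
    expected = bytearray(disk)
    for rva in reloc_slots:
        if rva + 4 <= len(expected):
            val = struct.unpack_from("<I", disk, rva)[0]
            struct.pack_into("<I", expected, rva, (val + delta) & 0xFFFFFFFF)
    runs, start = [], None
    for i, (want, got) in enumerate(zip(expected, mem)):
        if want != got and start is None:
            start = i
        elif want == got and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(mem) - start))
    return runs

def build_sample():
    """Constructed sample: 64-byte section, two HIGHLOW fixups, one inline hook."""
    disk = bytes(range(64))
    reloc = struct.pack("<II", 0, 12) + struct.pack("<2H", 0x3010, 0x3020)
    delta = 0x10000
    mem = bytearray(disk)
    for rva in (0x10, 0x20):  # legitimate relocation applied by the loader
        val = struct.unpack_from("<I", disk, rva)[0]
        struct.pack_into("<I", mem, rva, (val + delta) & 0xFFFFFFFF)
    mem[0x30:0x35] = b"\xE9\x00\x00\x00\x00"  # hypothetical hook, not a real ntdll offset
    return disk, bytes(mem), reloc, delta
```

Passing the wrong delta makes the legitimate fixup slots show up as patches too, which is the usual false positive when a disk/memory diff ignores relocations.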

  2. #17
    Thanks for the clarification of the explanation, BanMe.

    There are other anti-debugging techniques in use by the target:
    * VirtualQuery (yeah yeah we can intercept that too)
    * Using SEH to then deliberately test that pages are not there. Walking the address space and doing a memory access to a page. Hmm... it is now a bit harder to hide the real DLL, isn't it?

    I'm sure I could go on with the anti-debugging / anti-reversing countermeasures the target has implemented. This is why the emulation has been such a good way to see what is going on in such a short space of time.

    The advice is great and all; I can understand that it makes sense to you to employ these solutions. But the challenge/goals/specification I keep posing has the same basic goal: all modifications must be in-board of the affected DLLs and look as real as they can be (because there are a lot of other factors I am aware of).
    Last edited by Nido; May 22nd, 2009 at 14:16.

  3. #18
    disavowed:
    Does the protection you're looking at also check the digital signature on ntdll.dll? If you patch the file, the signature won't be valid anymore.

  4. #19
    Quote Originally Posted by disavowed:
    Does the protection you're looking at also check the digital signature on ntdll.dll? If you patch the file, the signature won't be valid anymore.
    Is the digital signature part of the WPF system? I have seen the symbol:

    ADVAPI32.DLL!CryptVerifySignatureA

    located via GetProcAddress() but it has not been used yet (I guess because I am still looking at decoy execution paths).

  5. #20
    Quote Originally Posted by Nido:
    I still do not understand your claim that hooking 2 additional things is easier in some way than altering a few bytes in NTDLL to allow interception of a function which I must hook anyway? My modifications amount to approx. 60 bytes of new asm, 2x32 bytes of replaced asm, 8 reloc fixups and EAT RVA and section header fixups. All mods are contained to NTDLL; the execution/debugging of the asm changes can be completed inside the emulator.
    Do themida or winlic, go through that code which I wrote, and eventually you will see what I'm doing and why.

    If your approach works, that's good; do it like that... If my approach seems complicated, simply don't use it. I know that it's not complicated, as I'm using it daily.
